Credit to Author: Lily Hay Newman| Date: Sun, 24 May 2020 02:17:00 +0000
Over the years, Apple has made it prohibitively difficult to jailbreak iOS, which lets you install whatever software you want on the normally locked-down devices. But on Saturday, the jailbreaking team Unc0ver released a tool that will jailbreak all versions of iOS from 11 to the 13.5. It's been years since jailbreak has been available for a current version of iOS for more than a few days—making this yet another knock on Apple's stuttering security image.
Unc0ver says that its jailbreak, which you can install using the longtime jailbreaking platforms AltStore and Cydia (but maybe don't unless you're absolutely sure you know what you're doing) is stable, and doesn't drain battery life or prevent use of Apple services like iCloud, Apple Pay, or iMessage. And the group claims that it preserves Apple's user data protections and doesn't undermine iOS's sandbox security, which keeps programs running separately so they can't access data they shouldn't.
"This jailbreak basically just adds exceptions to the existing rules," Unc0ver's lead developer, who goes by Pwn20wnd, told WIRED. "It only enables reading new jailbreak files and parts of the filesystem that contain no user data."
Early public reactions to the jailbreak, including from researchers who tested it before its release, indicate that it works as intended. But the community hasn't yet had time to fully assess the jailbreak or Unc0ver's claims about its security protections. And the tool isn't open source, which means it will be more difficult to analyze.
"It’s very in line with the early jailbreak spirit."
Will Strafach, Guardian Firewall
The jailbreaking heyday of iOS largely wound down with the release of iOS 9 in 2015; that's when Apple introduced a new kernel security feature called Rootless and other initiatives to safeguard iOS. But over the last year, the community has begun to storm back. In August, Apple accidentally reintroduced a previously patched flaw in iOS 12.4 that gave enthusiasts a few days of jailbreaking before reinstating the fix. Then in September, a researcher published details of an unpatchable Apple hardware flaw that could be exploited to jailbreak virtually every type of Apple mobile device released between 2011 and 2017, including iPhones, iPads, Apple Watches, Apple TVs. Known as checkm8, the disclosure marked a turning point, since it promised unprecedented open access to a large population of Apple mobile devices. But checkm8 didn't extend to devices Apple released after 2017.
Today's Unc0ver jailbreak is the first built on a so-called zero day vulnerability in years. This means that Unc0ver did not disclose its findings to Apple in advance, and that there's no patch coming in the next few days that will block the jailbreak. The flaw is in iOS's kernel, the program at the heart of an operating system. Both Pwn20wnd and independent iOS security researchers estimate that it will take Apple two to three weeks minimum to prepare a fix unless they have already found the bug independently and are in the process of patching it. Apple did not return a request from WIRED for comment.
"I am just personally excited to see a no-bullshit jailbreak dropped for the latest iOS," says Will Strafach, a longtime iOS jailbreaker and creator of the Guardian Firewall app for iOS. "It’s very in line with the early jailbreak spirit."
"It is a great accomplishment," says axi0mX, the researcher who discovered checkm8. "Pwn20wnd was able to find his own vulnerability in iOS and use it to make another jailbreak."
Though attackers can use jailbreaking to compromise devices, since it often opens the door to installing more types of malware, the research community generally embraces the practice. Jailbreaks make it easier to remove Apple's restrictive protections, analyze how iOS behaves, and probe potential weaknesses and flaws. Apple and iOS-focused security researchers have been locked in an increasingly heated battle over the tradeoffs of Apple's stringent security protections. Researcher say that these defenses can make basic security assessments—like whether an iOS device has been compromised by malware—harder to execute. Apple sued the security company Corellium last year for making an iOS emulator that researchers can use to analyze the operating system.
"Having a full-fledged jailbreak makes future security research easier," Pwn20wnd says.
For its part, the new Unc0ver jailbreak can be very stealthy. If you back up your device before installing the jailbreak, you can later erase all traces of it by reverting to that backup. The kernel modifications the jailbreak tool makes don't persist when you reboot your device, but the jailbreak files themselves remain in the device's filesystem, making it easy to reestablish the jailbreak by simply running the tool again.
Apple has had its hands full with iOS security complications in recent weeks. The firm Zerodium, which buys and sells zero-day exploits, said last week that it is pausing collection of most types of iOS vulnerabilities due to high supply. And the company suggested that iOS exploit chains used to take over iPhones—once coveted for their power and scarcity—may soon drop in price, perhaps indicating that iOS vulnerabilities are now easier to come by. In September, Zerodium sold an Android hacking tool for more than its iOS tools for the first time.
Meanwhile, Motherboard reported on Friday that a leaked early version of iOS 14, the operating system that isn't slated to be released until September, has been circulating among a small group of researchers since February if not before. The revelation explains how news of upcoming iOS 14 features has trickled out consistently for weeks. The leak isn't a complete build of iOS 14, and it will likely be very different from the final release later this year, but it still gives experienced researchers a head start on analyzing the operating system.
And if the leak is truly an internal iOS build, it likely includes some of Apple's own analysis tools that are never released publicly, says Patrick Wardle, an Apple security researcher at the enterprise management firm Jamf "The rest of iOS 14 will be out in beta shortly," Wardle says, "but in my opinion having access now to internal content—security tools, tests, and fuzzer—would be the most valuable part of the leak to security researchers." A fuzzer is a tool for seeing how software handles invalid or unlikely inputs, helpful for heading off unintended behavior.
Wardle suggests that the iOS 14 leak may be related somehow to Unc0ver's new iOS 13.5 jailbreak release. But Pwn20wnd denies any connection: "Not at all, I don't operate with leaked iOS builds."
Regardless, both the leak and the jailbreak of a current iOS version indicate a shift in the atmosphere surrounding iOS security. And Pwn20wnd is confident that there's more jailbreaking to come. When asked if the jailbreak released on Saturday would work in iOS 14, Pwn20wnd said, "Depends on whether Apple manages to patch my kernel vulnerability before iOS 14 or not. But in any case, I will eventually make a new 0day jailbreak."